The average SamSam attacker has earned nearly $300,000 per month this year.

Edward Gately, Senior News Editor

August 3, 2018

8 Min Read
Cybersecurity Shield

There’s ransomware and then there’s SamSam, a ransomware campaign that’s more calculated and ruthless, and has so far netted nearly $6 million from its victims.

Sophos has been conducting a long-term investigation of SamSam since soon after it emerged in late 2015. The company estimates that the average SamSam attacker has earned nearly $300,000 per month this year.

To get the lowdown on SamSam, we spoke with Chet Wisniewski, Sophos research scientist. In many ways, SamSam is “completely different” from ransomware, he said.

Wisniewski-Chet_Sophos.jpg

Sophos’ Chet Wisniewski

“Mostly what we’ve been talking about for the last five years is what we call opportunistic or ‘spray and prey,'” he said. “You send out 100,000 emails with a malicious attachment, and you cross your fingers and hope somebody opens them somewhere, and when they do, you don’t know if that victim is going to be somebody’s aunt or uncle, or a small business or a hospital, so of course because it’s automated and bot-like, you set a generic price. [You] ask $500 per computer and hope the victim has $500. And they’ll try to target people in rich countries so that they’re likely to pay. That’s sort of the traditional model.”

SamSam, however, is being deployed by hand and the “criminal or criminals are literally going down the cyber walkway checking doorknobs to see if they’re loose, and if they see a door ajar or a handle that turns a little bit, they use their skills to break in, exploit the vulnerability, and they don’t just deploy the ransomware right away,” Wisniewski said.

“If they break into your business, they find a vulnerability, say in your web app, or if you’ve got an unsecured remote desktop protocol port open for remote access for your systems and that kind of thing — once they get in, now they actually kind of case the joint the way somebody would in a traditional burglary,” he said. “They start looking around [for] … the admin accounts, and can we write a script to disable them all at the same time? So that when we unleash the ransomware, none of the admins can log in. And they’ll look to see if the backups are online or offline.”

They’ll erase all backups so the target can’t recover as easily and is more likely to pay the ransom, Wisniewski said. The largest single ransom received by a SamSam attacker was nearly $65,000.

SamSam is a particularly thorough encryption tool, rendering not only work data files unusable, but any program that isn’t essential to the operation of a Windows computer, most of which aren’t routinely backed up. Recovery might require reimaging and/or reinstalling software, as well as restoring backups.

A common perception has been that SamSam has specifically targeted health care and government, but a closer look reveals that “no industry is really left unhit,” he said.

“I think what has distorted our view of these attacks historically is the types of organizations that are likely to admit that they had a problem is really the truth of it,” Wisniewski said. “When a hospital gets hit and they’re unable to accept patients in the emergency room, it’s a headline and we learn about it right away, and they explain to us what happened. The city of Atlanta, of course, is a civic organization that’s responsible to the taxpayers, so they can’t really sweep it under the carpet; whereas a private industry has a much bigger incentive to not really disclose that these things are happening to them. But this shows it is happening to them, sadly.”

As for protecting your organization from SamSam, the good news is it’s “not a lot of really hard stuff, it’s just focusing a little harder on …

… the basics and doing them a little better than you have been, and perhaps advancing some of your protocols,” he said.

There are a lot of opportunities for the channel to help companies fight off SamSam, Wisniewski said.

“We think that sadly this might be a template for other criminals to start copycatting just because it’s making so darn much money,” he said. “So I don’t think this type of problem is going to go away. It certainly is an opportunity for the channel to really double down on focusing [on] perimeter protection for those servers and stuff especially because that really seems to the be modus operandi in these groups. It’s not as much tricking people to open email that we’ve seen so much of this year. They’re really looking at the perimeter and seeing how they can get past that firewall [to] … exploit those servers … as a way to hold the whole company hostage. Because we’re still dependent on those servers for e-commerce and file sharing, and other things. So rather than hitting all the workstations, that seems to be more effective for them.”

FireEye Unleases MalwareGuard Machine-Learning Capabilities

FireEye has added MalwareGuard – a new advanced machine-learning-based detection and prevention engine – to its endpoint-security offering.

MalwareGuard is designed to help detect and block cyber threats to provide customers an added level of protection to stop attacks and protect customer information, sensitive data and intellectual property, the company said.

Montgomery-Phil_FireEye.jpg

FireEye’s Phil Montgomery

Phil Montgomery, FireEye’s vice president of product marketing, tells us his company’s new per-user pricing and channel focus allow partners to deliver to customers the “best endpoint solution in the market, with the highest level of protection.”

“In addition, we have strong endpoint detection and response (EDR) capabilities, which provides opportunities for partners to investigate endpoint threats and attacks, and respond to breaches,” he said. “This allows partners to build out the services side of their business.”

While machine learning is nothing new, it is “only as good as the data set that it is based on,” Montgomery said.

“We spent two years training our MalwareGuard model on unique, real-world public and private data from the front lines,” he said. “When combined with our firsthand knowledge of the threat landscape, this gives partners a significant advantage that’s not available elsewhere. Further, our FireEye Helix security-operations platform sits at the center of it all, making it easier for partners to integrate security tools from both FireEye and third parties into a security operations center (SOC) platform, simplifying management from alert to fix.”

Cofense Rolls Out Anti-Phishing Platform

Cofense, formerly PhishMe, has released its phishing-specific orchestration, automation and response (SOAR) platform designed to allow organizations to respond to phishing threats faster and with fewer resources.

The platform combines the capabilities of an improved Cofense Triage with a new product, Cofense Vision, which helps mitigate identified threats and potential impact by determining where else a potentially malicious email is lurking within an organization. It stores indexes and enriches email messages for …

… querying and quarantining before any damage occurs.

Robert Iannicello, Cofense’s vice president of global channel sales, tells us the combination of Cofense Triage and Vision provides partners with a “complete solution to address how they identify and respond to phishing attacks.”

Iannicello-Robert.jpg

Cofense’s Robert Iannicello

“By extending our clustering technology to all emails received by an organization, security operations teams will have the ability to find and quarantine the entire attack, even from users who have not reported,” he said. “The complete phishing SOAR solution will enable our partners to address a key missing piece of the incident-response puzzle and is applicable to all industries, regions and organization sizes. The broad applicability is a huge win for our customers and partners.”

Cofense is the only vendor to provide the channel with a complete solution to the phishing threat, Iannicello said.

“More than a decade ago, Cofense created the phishing-simulation space to help organizations increase resilience and reduce susceptibility to phishing attacks,” he said. “Now, Cofense is delivering its continued innovations to the channel with its phishing SOAR platform that combines human intuition with leading-edge technology to find and eliminate active phishing threats using fewer resources — regardless if the attacks bypass perimeter defenses.”

Pulse Secure Debuts Latest Network Access Control Offering

Pulse Secure recently announced Pulse Policy Secure 9.0, which aims to provide organizations an easier, more flexible and VPN-integrated path to next-generation network access control (NAC).

The latest release incorporates more than 36 new features and enhancements, advancing visibility, usability, endpoint and IoT security, and threat-response capabilities. As a result, enterprises can strengthen their security posture and mitigate malware, data breaches and compliance risks.

“Organizations understand NAC advantages for visibility, IoT security and threat mitigation, but perceive the technology to be cumbersome,” said Scott Gordon, Pulse Secure’s chief marketing officer. “The latest release … continues to advance our deployment, usability and integration capabilities while delivering enterprise-class functionality. With our unique means to offer a simple, unified NAC and VPN solution, we allow enterprises to gain essential intelligence, compliance and protection for remote, cloud and data center access.”

The new version further extends IoT device discovery, classification and management features with added means to ascertain new and custom IoT devices, and to apply policy for conditional access.

“Customers, independent of their size or vertical, are all looking for solutions that can be easily integrated and/or automated as they’re all strapped for resources,” said Dominic Grillo, president of Atrion Communications Resources, a Pulse Secure reseller partner. “We’re seeing significant growth being driven by the move to applications in the cloud – with Azure, AWS [and others] – and Pulse Secure 9.0 sets the customer up for this explosion of ‘things.'”

Read more about:

Agents

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like